Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-04-01 Thread Fabrice Dagorn

The POC is a simple Eclipse java project.

UnsafeReceiver will open a ServerSocketReceiver on port and wait forever.


Injector will then open a client Socket to the ServerSocketReceiver and serialize a Calculator instance through the wire.


Calculator implements ILoggingEvent to prevent ClassCastException on deserialization, but Logback won't check more and getLoggerName() is called.


In this case, the gnome calculator is executed.


Regards,

Fabrice


Le 31/03/2017 à 14:10, Markus Koschany a écrit :

You could also attach the POC to this bug report. The vulnerability is
publicly known by now anyway.

Markus





Attachment: poc_logback.tar.gz (GNU Zip compressed data)
__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.
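As an added illustration of the allow-list mechanism the upstream fix relies on (example code written for this page, not logback's HardenedObjectInputStream and not the attached POC): overriding resolveClass() refuses a class descriptor before the JVM instantiates anything, so a deserialization hook in an unexpected class never runs, whereas the cast to ILoggingEvent described above only fails after the object has already been built. The class and sample types below are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;

// Example only (not logback's class): an ObjectInputStream that resolves only allow-listed classes.
public class AllowListObjectInputStream extends ObjectInputStream {
    private final String[] allowed;

    public AllowListObjectInputStream(java.io.InputStream in, String... allowedClassNames) throws IOException {
        super(in);
        this.allowed = allowedClassNames;
    }

    // Called for every class descriptor before an instance exists, so an unexpected class is
    // refused before its readObject/readResolve could run (fail closed).
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!Arrays.asList(allowed).contains(name)) {
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Constructed sample types: the event a receiver expects, and an unexpected class with a hook.
    static final class Event implements Serializable { String loggerName = "app"; }
    static final class Unexpected implements Serializable {
        private void readObject(ObjectInputStream in) { System.out.println("hook ran (must never print)"); }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Only the expected event type is listed; a real event's java.util field types must be added too.
        String[] allow = { Event.class.getName() };
        Object ok = new AllowListObjectInputStream(new ByteArrayInputStream(serialize(new Event())), allow).readObject();
        System.out.println("accepted " + ok.getClass().getSimpleName());
        try {
            new AllowListObjectInputStream(new ByteArrayInputStream(serialize(new Unexpected())), allow).readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected " + e.classname + " before instantiation");
        }
    }
}
```

Save it as AllowListObjectInputStream.java; run with `java AllowListObjectInputStream.java` (JDK 11 or later) and the rejected class's hook line is never printed.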

Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Fabrice Dagorn

Hi,
I have made a quick and dirty POC for this issue.
This results in a remote code execution in the JVM that exposes a ServerSocketReceiver.


Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.

The POC is available on demand.

Regards,
Fabrice Dagorn



Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-29 Thread Fabrice Dagorn

Thank you for your upload.

But I think that the issue is not completely solved; upstream made it in several commits (https://github.com/qos-ch/logback/commits/v_1.2.0).


The comment is not meaningful, but this one is related to the vulnerability:
https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9


Fabrice Dagorn

Le 28/03/2017 à 18:09, Debian Bug Tracking System a écrit :

This is an automatic notification regarding your Bug report
which was filed against the liblogback-java package:

#857343: logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components

It has been closed by Markus Koschany <a...@debian.org>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Markus Koschany
<a...@debian.org> by replying to this email.






Bug#857343: (no subject)

2017-03-23 Thread Fabrice Dagorn

Dear Maintainer,
It's a serious security bug IMO, feel free to switch back to important if you disagree.




Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver

2017-03-10 Thread Fabrice Dagorn

CVE-2015-6420 is for Apache Commons, but this is the same issue.

Le 10/03/2017 à 10:15, Emmanuel Bourg a écrit :

Hi Fabrice,

Thank you for the report. Do you know if there is a CVE ID assigned to this vulnerability?

Emmanuel Bourg





Bug#857343: (no subject)

2017-03-10 Thread Fabrice Dagorn

tags security



Bug#857343: liblogback-java: logback < 1.2.0 has a vulnerability in SocketServer and ServerSocketReceiver

2017-03-10 Thread Fabrice Dagorn
Package: liblogback-java
Version: 1:1.1.2-1
Severity: important
Tags: upstream patch

Dear Maintainer,

logback versions in wheezy, jessie and stretch are vulnerable to a deserialization issue.
Logback would try to deserialize data from a socket, but it can't be trusted.
Upstream mitigates this issue by adding a whitelist of allowed classes to be deserialized.

I've prepared a patch for jessie.

Regards

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblogback-java depends on:
ii  libslf4j-java  1.7.7-1

liblogback-java recommends no packages.

Versions of packages liblogback-java suggests:
ii  glassfish-javaee  1:2.1.1-b31g+dfsg1-2
ii  libjanino-java    2.7.0-2
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	1970-01-01 01:00:00.0 +0100
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	2017-03-04 15:39:00.0 +0100
@@ -0,0 +1,16 @@
+package ch.qos.logback.access.net;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import ch.qos.logback.access.spi.AccessEvent;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
+
+public class HardenedAccessEventInputStream extends HardenedObjectInputStream {
+
+public HardenedAccessEventInputStream(InputStream in) throws IOException {
+super(in, new String[] {AccessEvent.class.getName(), String[].class.getName()});
+}
+
+}
+
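Review bot: this new class depends on ch.qos.logback.core.net.HardenedObjectInputStream (imported at the top of the hunk) having an (InputStream, String[]) constructor, but none of the hunks visible here add that class to logback-core; make sure the core backport is part of the same upload, otherwise logback-access will not compile. The allow-list names only AccessEvent and String[]; the String[] entry suggests the event carries arrays inside other containers, so check that HardenedObjectInputStream also admits whatever java.util types a serialized AccessEvent contains, or legitimate events will be refused at the same point as hostile ones. Style: the constructor body and its braces are not indented relative to the class.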
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2013-09-07 12:44:46.0 +0200
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2017-03-05 15:09:48.0 +0100
@@ -15,7 +15,6 @@
 
 import java.io.BufferedInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 
 import ch.qos.logback.access.spi.AccessContext;
@@ -42,16 +41,15 @@
 
   Socket socket;
   AccessContext context;
-  ObjectInputStream ois;
+  HardenedAccessEventInputStream hardenedOIS;
 
   public SocketNode(Socket socket, AccessContext context) {
 this.socket = socket;
 this.context = context;
 try {
-  ois = new ObjectInputStream(new BufferedInputStream(socket
-  .getInputStream()));
+  hardenedOIS = new HardenedAccessEventInputStream(new BufferedInputStream(socket.getInputStream()));
 } catch (Exception e) {
-  System.out.println("Could not open ObjectInputStream to " + socket + e);
+  System.out.println("Could not open HardenedObjectInputStream to " + socket + e);
 }
   }
 
@@ -61,7 +59,7 @@
 try {
   while (true) {
 // read an event from the wire
-event = (IAccessEvent) ois.readObject();
+event = (IAccessEvent) hardenedOIS.readObject();
 //check that the event should be logged
 if (context.getFilterChainDecision(event) == FilterReply.DENY) {
   break;
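Review bot: with the hardened stream, a class that is not on the allow-list surfaces here as an InvalidClassException thrown by readObject() before any instance is created, rather than as a ClassCastException after the object has already been built, which is the intended fail-closed behaviour. Check that the catch clause of this try (outside the hunk) logs that exception rather than treating it like a plain end of stream, so that a rejected payload is visible in the logs and not silently dropped.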
@@ -81,7 +79,7 @@
 }
 
 try {
-  ois.close();
+  hardenedOIS.close();
 } catch (Exception e) {
   System.out.println("Could not close connection." + e);
 }
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	1970-01-01 01:00:00.0 +0100
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	2017-03-05 15:14:25.0 +0100
@@ -0,0 +1,57 @@
+package ch.qos.logback.classic.net.server;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.slf4j.helpers.BasicMarker;
+
+import ch.qos.logback.classic.Level;
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ClassPackagingData;
+import ch.qos.logback.classic.spi.IThrowableProxy;
+import ch.qos.logback.classic.spi.LoggerContextVO;
+import ch.qos.logback.classic.spi.LoggerRemoteView;
+import ch.qos.logback.classic.spi.LoggingEventVO;
+import ch.qos.logback.classic.spi.StackTraceElementProxy;
+import
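Review bot: the package declaration `package ch.qos.logback.classic.net.server;` does not match the file path logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java, which corresponds to package ch.qos.logback.classic.net; javac will compile it, but the class ends up in a different package from where the file lives and any SocketNode in ch.qos.logback.classic.net would need an explicit import to use it. Align the declaration with the directory (or move the file). Only the import section of this 57-line file is visible in this copy of the patch, so the allow-list contents could not be reviewed here.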